Terraform modules

.github/scripts/prep_module.py

@@ -0,0 +1,108 @@
+"""Script to prepare the module for semantic-release."""
+
+import os
+import sys
+import json
+
+skeleton_contents = {
+    "private": True,
+    "devDependencies": {
+        "@semantic-release/github": "^9.0.3",
+        "semantic-release": "^21.0.5"
+    },
+    "release": {
+        "branches": [
+            "terraform-modules"
+        ]
+    },
+    "plugins": [
+        "@semantic-release/commit-analyzer",
+        "@semantic-release/release-notes-generator",
+        "@semantic-release/github"
+    ]
+}
+
+
+def open_file(filename):
+    """
+    Open a file and return its contents.
+
+    Args:
+        filename: The file to open.
+
+    Returns:
+        dict: The contents of the file.
+    """
+    try:
+        with open(filename, "r") as file:
+            return json.loads(file.read())
+    except FileNotFoundError:
+        raise FileNotFoundError(f"File {filename} not found.")
+
+    # Update the package_json file with skeleton contents
+
+
+def update_package_json(package_json, package_json_skeleton):
+    """
+    Update the package_json file with skeleton contents.
+
+    Args:
+        package_json: The package_json file to update.
+        package_json_skeleton: The skeleton contents to update with.
+
+    Returns:
+        dict: The updated package_json file.
+    """
+    try:
+        package_json_skeleton["name"] = package_json["name"]
+        package_json_skeleton["description"] = package_json["description"]
+    except KeyError as error_message:
+        print("Failed!", str(error_message))
+        sys.exit(1)
+
+    return package_json_skeleton
+
+
+def write_file(filename, contents):
+    """
+    Write the contents to the file.
+
+    Args:
+        filename: The file to write to.
+        contents: The contents to write to the file.
+    """
+    try:
+        with open(filename, "w") as file:
+            file.write(json.dumps(contents, indent=4))
+    except FileNotFoundError:
+        raise FileNotFoundError(f"File {filename} not found.")
+
+
+def main():
+    """Main function."""
+    try:
+        # Load the original package_json file
+        package_json = open_file("package.json")
+    except FileNotFoundError as error_message:
+        print("Failed!", str(error_message))
+        sys.exit(1)
+
+    # Update the package_json file with skeleton contents
+    try:
+        updated_package_json = update_package_json(package_json, skeleton_contents)
+    except KeyError as error_message:
+        print("Failed!", str(error_message))
+        sys.exit(1)
+
+    # Write the updated package_json file
+    try:
+        write_file("package.json", updated_package_json)
+    except FileNotFoundError as error_message:
+        print("Failed!", str(error_message))
+        sys.exit(1)
+
+    print("Processed successfully!")
+
+
+if __name__ == "__main__":
+    main()

.github/workflows/pr-actionlint.yaml

@@ -0,0 +1,23 @@
+name: Action Linting
+on:
+  pull_request:
+    branches:
+      - "terraform-modules"
+    paths:
+      - ".github/workflows/**"
+
+permissions: read-all
+
+jobs:
+  actionlint:
+    name: Action Linting
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash

.github/workflows/pr-terraform-docs.yaml

@@ -0,0 +1,40 @@
+name: Tf Docs
+on:
+  pull_request:
+    branches:
+      - "terraform-modules"
+
+permissions:
+  contents: write
+
+jobs:
+  generate-matrix:
+    name: Generate matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+    steps:
+      - name: Get matrix
+        id: get-matrix
+        uses: hellofresh/action-changed-files@v3
+        with:
+          pattern: modules/(?P<module>[^/]+)
+  write-docs:
+    runs-on: ubuntu-latest
+    needs: generate-matrix
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    if: ${{ fromJson(needs.generate-matrix.outputs.matrix).include[0] }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: modules/${{ matrix.module }}
+          output-file: README.md
+          output-method: inject
+          git-push: "true"
+          git-commit-message: "docs: update README.md with terraform-docs"

.github/workflows/release.yaml

@@ -0,0 +1,56 @@
+name: Module release
+on:
+  push:
+    branches:
+      - terraform-modules
+
+permissions:
+  issues: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  generate-matrix:
+    name: Generate matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix }}
+    steps:
+      - name: Get matrix
+        id: get-matrix
+        uses: hellofresh/action-changed-files@v3
+        with:
+          pattern: modules/(?P<module>[^/]+)
+  release-module:
+    needs: generate-matrix
+    name: Release
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    if: ${{ fromJson(needs.generate-matrix.outputs.matrix).include[0] }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 'lts/*'
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      - name: Install dependencies
+        run: |
+          cd modules/${{ matrix.module }}
+          python3 "${GITHUB_WORKSPACE}"/.github/scripts/prep_module.py
+          npm install
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd modules/${{ matrix.module }}
+          # shellcheck disable=SC2016
+          npx semantic-release -t ${{ matrix.module }}/'${version}'

modules/s3/README.md

@@ -0,0 +1,49 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.bucket2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_bucket_versioning.bucket3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_bucket_versioning.bucket4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_logging"></a> [access\_logging](#input\_access\_logging) | Whether or not to enable access logging on the bucket | `bool` | `true` | no |
+| <a name="input_access_logging_bucket"></a> [access\_logging\_bucket](#input\_access\_logging\_bucket) | Destination for access logging | `string` | `""` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Enable public acl block | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Enable block\_public\_policy | `bool` | `true` | no |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name to be assigned to bucket and resources | `any` | n/a | yes |
+| <a name="input_bucket_public_acl"></a> [bucket\_public\_acl](#input\_bucket\_public\_acl) | Whether or not bucket should have a publicly accessible ACL | `string` | `"private"` | no |
+| <a name="input_enable_versioning"></a> [enable\_versioning](#input\_enable\_versioning) | Whether or not to enable object versioning | `bool` | `true` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Enable ignore\_public\_acls | `bool` | `true` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Enable restrict\_public\_buckets | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/s3/bucket.tf

@@ -0,0 +1,37 @@
+resource "aws_s3_bucket" "this" {
+  #checkov:skip=CKV2_AWS_61: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_62: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_144: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_145: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_21: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_6: "This is a demo bucket"
+  bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.id
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "bucket2" {
+  bucket = "${aws_s3_bucket.this.id}-2"
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "bucket3" {
+  bucket = "${aws_s3_bucket.this.id}-3"
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "bucket4" {
+  bucket = "${aws_s3_bucket.this.id}-4"
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}

modules/s3/bucket_logging.tf

@@ -0,0 +1,19 @@
+resource "aws_s3_bucket_logging" "example" {
+  count  = var.access_logging ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+
+  # If bucket specified, otherwise use created
+  target_bucket = var.access_logging_bucket == null ? aws_s3_bucket.access_logs[0].id : var.access_logging_bucket
+  target_prefix = "log/${var.bucket_name}"
+}
+
+resource "aws_s3_bucket" "access_logs" {
+  #checkov:skip=CKV2_AWS_61: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_62: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_144: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_145: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_21: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_6: "This is a demo bucket"
+  count  = var.access_logging ? var.access_logging_bucket == null ? 1 : 0 : 0
+  bucket = var.access_logging_bucket
+}

modules/s3/bucket_policy.tf

@@ -0,0 +1,14 @@
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = jsonencode({
+    Statement = [
+      merge({
+        Actions   = "*"
+        Effect    = "Allow"
+        Principal = "*"
+        Resource  = "*"
+      })
+    ]
+    Version = "2012-10-17"
+  })
+}

modules/s3/bucket_security.tf

@@ -0,0 +1,23 @@
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.this.id
+  acl    = var.bucket_public_acl != false ? "private" : "public"
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  block_public_acls       = var.block_public_acls
+  block_public_policy     = var.block_public_policy
+  restrict_public_buckets = var.restrict_public_buckets
+  ignore_public_acls      = var.ignore_public_acls
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+  bucket = aws_s3_bucket.this.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}

modules/s3/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "tjth-s3-bucket",
+  "description": "A terraform module for creating an s3 bucket"
+}